• Title/Summary/Keyword: HTTP request

HTTP Request - SQL Query Mapping Scheme for Malicious SQL Query Detection in Multitier Web Applications (Multitier 웹 어플리케이션 환경에서 악의적인 SQL Query 탐지를 위한 HTTP Request - SQL Query 매핑 기법)

  • Seo, Yeongung;Park, Seungyoung
    • Journal of KIISE / v.44 no.1 / pp.1-12 / 2017
  • Continuously growing internet service requirements have resulted in a multitier system structure consisting of a web server and a database (DB) server. In this multitier structure, the existing intrusion detection system (IDS) detects known attacks by matching misused traffic patterns or signatures. However, a malicious change to the contents at the DB server made through hypertext transfer protocol (HTTP) requests cannot be detected by the IDS at the DB server's end, since the DB server processes structured query language (SQL) without knowing the associated HTTP request, while the web server cannot identify the response associated with the attacker's SQL query. To detect these types of attacks, the malicious user is tracked using knowledge of the interaction between HTTP requests and SQL queries. However, this is a practical challenge because the system's source code and its application logic need to be analyzed and understood completely. In this study, we proposed a scheme to find the HTTP request associated with a given SQL query using only system log files. We first generated an HTTP request-SQL query map from system log files alone. Subsequently, the HTTP request associated with a given SQL query was identified among a set of HTTP requests using this map. Computer simulations indicated that the proposed scheme finds the HTTP request associated with a given SQL query with 94% accuracy.

Optimal thresholds of algorithm and expansion of Application-layer attack detection block ALAB in ALADDIN (ALADDIN의 어플리케이션 계층 공격 탐지 블록 ALAB 알고리즘의 최적 임계값 도출 및 알고리즘 확장)

  • Yoo, Seung-Yeop;Park, Dong-Gue;Oh, Jin-Tae;Jeon, In-Ho
    • The KIPS Transactions:PartC / v.18C no.3 / pp.127-134 / 2011
  • Malicious botnets have been used for increasingly malicious activities, such as DDoS attacks, sending spam messages, and stealing personal information. To prevent this, many studies have been conducted. But malicious botnets have evolved and evaded detection systems. In particular, the HTTP GET request attack, which exploits a vulnerability of the application layer, is used. ALAB of ALADDIN, proposed by ETRI, is a DDoS attack detection system to which HTTP GET and Incomplete GET request flooding attack detection algorithms are applied. In this paper, we extend the Incomplete GET detection algorithm of ALAB and derive the optimal configuration parameters to verify the validity of the ALAB algorithm by studying normal and attack packets.

TCP-aware Segment Scheduling Method for HTTP Adaptive Streaming (HTTP 적응적 스트리밍을 위한 TCP 인지형 세그먼트 스케줄링 기법)

  • Park, Jiwoo;Chung, Kwangsue
    • Journal of KIISE / v.43 no.7 / pp.827-833 / 2016
  • HTTP Adaptive Streaming (HAS) is a technique that adapts its video quality to network conditions to provide Quality of Experience. In the HAS approach, video content is encoded at multiple bitrates and the encoded video content is divided into several video segments. A HAS player estimates the network bandwidth and adjusts the video bitrate based on the estimated bandwidth. However, the segment scheduler in the conventional HAS player requests video segments periodically without considering TCP. If the waiting duration for the next segment request is quite long, the TCP connection can be initialized and it restarts slow-start. Slow-start reduces TCP throughput and consequently leads to low-quality video streaming. In this study, we propose a TCP-aware segment scheduling scheme to improve the performance of HAS service. The proposed scheme adjusts the request time for the next video request to prevent initialization of the TCP connection and also considers the point of scheduling time. The simulation proves that our scheme improves the Quality of Service of the HAS service without the buffer underflow issue.

An HTTP Adaptive Streaming Scheme to Improve the QoE in a High Latency Network (높은 지연을 갖는 네트워크에서 QoE 향상을 위한 HTTP 적응적 스트리밍 기법)

  • Kim, Sangwook;Chung, Kwangsue
    • Journal of KIISE / v.45 no.2 / pp.175-186 / 2018
  • Recently, HAS (HTTP Adaptive Streaming) has been the subject of much attention to improve the QoE (Quality of Experience). In a high latency network, HAS degrades the QoE due to the lost RTT cycle since it replies with a response of one segment to the request of one segment. The server-push based HAS schemes of downloading multiple segments in one request cause QoE degradation due to buffer underflow. In this paper, we propose a VSSDS (Video Streaming Scheme based on Dynamic Server-push) scheme to improve the QoE in a high latency network. The proposed scheme adjusts video quality by estimating available bandwidth and determines the number of segments to be downloaded for each segment request cycle. Through the simulation, the proposed scheme not only improves the average video bitrate but also alleviates the buffer underflow.

A Novel Application-Layer DDoS Attack Detection Algorithm based on Client Intention (사용자 의도 기반 응용계층 DDoS 공격 탐지 알고리즘)

  • Oh, Jin-Tae;Park, Dong-Gue;Jang, Jong-Soo;Ryou, Jea-Cheol
    • Journal of the Korea Institute of Information Security & Cryptology / v.21 no.1 / pp.39-52 / 2011
  • An application-layer attack can effectively achieve its objective with a small amount of traffic, and detection is difficult because the traffic type is very similar to that of legitimate users. We have discovered a unique characteristic that is produced by a difference in client intention: Both a legitimate user and DDoS attacker establish a session through a 3-way handshake over the TCP/IP layer. After a connection is established, they request at least one HTTP service by a Get request packet. The legitimate HTTP user waits for the server's response. However, an attacker tries to terminate the existing session right after the Get request. These different actions can be interpreted as a difference in client intention. In this paper, we propose a detection algorithm for application layer DDoS attacks based on this difference. The proposed algorithm was simulated using traffic dump files that were taken from normal user networks and Botnet-based attack tools. The test results showed that the algorithm can detect an HTTP-Get flooding attack with almost zero false alarms.

Load Distribution Policy of Web Server using Subsequent Load and HTTP Connection Time (잠재 부하 정보와 HTTP 연결의 에이징을 통한 HTTP 연결 스케줄링 알고리즘)

  • Kim Si-Yeon;Kim Sungchun
    • Journal of KIISE:Computer Systems and Theory / v.32 no.11_12 / pp.717-721 / 2005
  • With HTTP/1.0, a single request means a single HTTP connection, so the granular unit of dispatching is the same as the real load. But with persistent HTTP connections, multiple requests may arrive on a single TCP connection. Therefore, a scheme that dispatches load at the granularity of individual requests constrains the feasible dispatching policies. In this paper we propose a new connection dispatching policy for supporting HTTP/1.1 persistent connections in cluster-based Web servers. When the request for a base HTML file arrives, the dispatcher gets the subsequent load arriving on that connection using the embedded objects information. After the dispatcher stores the load information in the Load Table, the dispatcher employs the connection aging strategy on live persistent connections with the passage of time. The simulation results show about 1.7% to 16.8% improved average response time compared to the existing WLC algorithm.

HTTP based remote monitoring and control system using JAVA (HTTP 기반의 자바를 이용한 원격 감시 및 제어 시스템)

  • Yi Kyoung-Woong;Choi Han-Soo
    • Journal of Institute of Control, Robotics and Systems / v.10 no.9 / pp.847-854 / 2004
  • In this paper, we study how to control and monitor a remote system's state using HTTP (Hyper Text Transfer Protocol) object communication. The remote control system is controlled by using a web browser or an application program. The system is organized into three parts by functionality: a server part, a client part, and a controller part. Java technology is used to build the server part and the client part, and the C language is used for the controller. The server part waits for requests from the client part; when a request arrives, the server part saves the client data to the database and sends a command set to the client part. The administrator can control the remote system using just a web browser. The remote part is driven by a timer that is activated once per second. It gets the measurement data from the controller part, then sends a request to the server part and gets a command set from the command repository of the server part using the client ID. After interpreting the command set, the client part transfers the command set to the controller part. The controller part can be activated by the client part. If a send command is transmitted by the client part, it sends sensor monitoring data to the client part; if a command set is transmitted, it sets up the value of the controlled system.

Video Quality Control Scheme for Efficient Bandwidth Utilization of HTTP Adaptive Streaming in a Multiple-Clients Environment (다중 클라이언트 환경에서 HTTP 적응적 스트리밍의 효율적인 대역폭 활용을 위한 비디오 품질 조절 기법)

  • Kim, Minsu;Kim, Heekwang;Chung, Kwangsue
    • Journal of KIISE / v.45 no.1 / pp.86-93 / 2018
  • When multiple clients share bandwidth and receive a streaming service, HTTP Adaptive Streaming has a problem in that the bandwidth is measured inaccurately due to the ON-OFF pattern of the segment request. To solve the problem caused by the ON-OFF pattern, the proposed PANDA (Probe AND Adapt) determines the quality of the segment to be requested while increasing the target bandwidth. However, since the target bandwidth is increased by a fixed amount, there is a problem in low bandwidth utilization and a slow response to changes in bandwidth. In this paper, we propose a video quality control scheme that improves the low bandwidth utilization and slow responsiveness of PANDA. The proposed scheme adjusts the amount of increase in the target bandwidth according to the bandwidth utilization after judging the bandwidth utilization by comparing the segment download time and the request interval. Experimental results show that the proposed scheme can fully utilize the bandwidth and can quickly respond to changes in bandwidth.

Differentiated-HTTP for Differentiated Web Service (웹 상에서의 차별화 된 서비스 제공을 위한 Diff-HTTP)

  • Hyeon, Eun-Sil;Lee, Yun-Jeong
    • Journal of KIISE:Information Networking / v.28 no.1 / pp.126-135 / 2001
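  • HTTP is the application protocol used to send and receive HTML (HyperText Markup Language) documents on the WWW, and is one of the application-layer protocols that use TCP as the transport-layer protocol [12]. HTTP/1.0 handles multiple requests inefficiently because it creates a separate TCP connection for each object from the same server. HTTP/1.1, proposed to solve this problem, introduces the concept of a persistent connection so that multiple requests are handled over a single TCP connection [9]. As networks have developed and users have grown in number and diversity, service differentiation has emerged as an important issue [3.5]. The Diff-HTTP presented in this paper divides users into two classes, a basic class and a priority-based higher class, in order to provide differentiated service to clients that request service from a web server. The classes are differentiated by their time limit, and the paper presents a way to provide high-quality service by increasing the time limit for clients in the higher class, thereby minimizing delay.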

HAS-Analyzer: Detecting HTTP-based C&C based on the Analysis of HTTP Activity Sets

  • Kim, Sung-Jin;Lee, Sungryoul;Bae, Byungchul
    • KSII Transactions on Internet and Information Systems (TIIS) / v.8 no.5 / pp.1801-1816 / 2014
  • Because HTTP-related ports are allowed through firewalls, they are an obvious point for launching cyber attacks. In particular, malware uses HTTP protocols to communicate with their master servers. We call this an HTTP-based command and control (C&C) server. Most previous studies concentrated on the behavioral pattern of C&Cs. However, these approaches need a well-defined white list to reduce the false positive rate because there are many benign applications, such as automatic update checks and web refreshes, that have a periodic access pattern. In this paper, we focus on finding new discriminative features of HTTP-based C&Cs by analyzing HTTP activity sets. First, a C&C shows a few connections at a time (low density). Second, the content of a request or a response is changed frequently among consecutive C&Cs (high content variability). Based on these two features, we propose a novel C&C analysis mechanism that detects the HTTP-based C&C. The HAS-Analyzer can classify the HTTP-based C&C with an accuracy of more than 96% and a false positive rate of 1.3% without using any white list.